~$ Advent of Cyber 2022 - Day 9
Question 1
Deploy the attached VM, and wait a few minutes. What ports are open?
Run `nmap -sV -sS $IP`
![Screenshot of an 'nmap' output, showing only the port 80 open.](assets/images/walkthrough/thm/aoc-2022/day09/1.png)
Answer: 80
Question 2
What framework is the web application developed with?
Browse to the page.
![Screenshot of the web page.](assets/images/walkthrough/thm/aoc-2022/day09/2.png)
Answer: Laravel
Question 3
What CVE is the application vulnerable to?
We search for `laravel` and use `info` to get the details of the CVE.
![Screenshot of exploit-db results for laravel.](assets/images/walkthrough/thm/aoc-2022/day09/3.png)
Answer: CVE-2021-3129
Question 4
What command can be used to upgrade the last opened session to a Meterpreter session?
From the explanation we find:
![Screenshot of meterpreter output.](assets/images/walkthrough/thm/aoc-2022/day09/6.png)
Answer: sessions -u -1
Question 5
What file indicates a session has been opened within a Docker container?
From the internet: /.dockerenv
Answer: /.dockerenv
Question 6
What file often contains useful credentials for web applications?
See (Question 4)
Answer: .env
Question 7
What database table contains useful credentials?
In the table schema dump we find a table called `users`:
![Screenshot of the metasploit output of a postgresql connection.](assets/images/walkthrough/thm/aoc-2022/day09/7.png)
Answer: users
Question 8
What is Santa's password?
Answer: p4$$w0rd
Question 9
What ports are open on the host machine?
We run `proxychains -q nmap -n -sT -Pn -p 22,80,443,5432 172.17.0.1`:
![Screenshot of a command being chained to the host.](assets/images/walkthrough/thm/aoc-2022/day09/9.png)
Answer: 22,80
Question 10
What is the root flag?
We log in with the credentials and get the root flag:
![Screenshot of an SSH session.](assets/images/walkthrough/thm/aoc-2022/day09/10.png)
Answer: THM{47C61A0FA8738BA77308A8A600F88E4B}